I think I came across a pretty significant bug/security issue while testing this module today... I have set up a user relationship called "Friend". All users have all relationship permissions for this relationship (have/maintain/request/delete) so that they can manage this relationship.

The URL for one of the "cancel" friend request links (for a "sent" request) is /user/1/relationships/requested/124/cancel... So, user 1 requested a "Friend" relationship with another user (let's say user # 99), and that pending relationship has an ID of 124.

If I log in as a third user (let's say user # "100") and use that above URL in my browser, it tells me that access is denied. But if I change the UID "1" to "100" in the URL, it allows me to confirm and then delete user # 1's pending sent request/relationship, as if user # 1 was deleting/cancelling the sent request/relationship. The same thing is true for approve/decline on Received relationship requests, but it appears to not be an issue with "remove" (current/existing/approved relationships).

This seems to me like a major issue. Any user can just start guessing at UIDs and RIDs and cause all sorts of problems on a site. It seems like the permissions for this module should go a level deeper... instead of "Maintain/Request/Delete xxx Relationships" it should be "Maintain/Request/Delete Own xxx Relationships", similar to the User Relationships UI permissions and the Node: Edit Own permissions.

How can this issue be resolved?

Comments

hockey2112 created an issue.
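The flaw described above is a missing ownership check: the path UID is compared with the logged-in user, but the relationship ID in the same URL is never checked against that user. The following Python model (an added, constructed example, not the User Relationships module's own code) contrasts the reported check with an "own relationships" check, generalised to cancel, approve and decline as the report describes; the relationship table, user numbers and function names are all constructed.

```python
"""Model of the access check in /user/{uid}/relationships/requested/{rid}/{action}.

Constructed example: the store, ids and functions are illustrative, not the
module's code. Two ids travel in the URL; the weak check only binds {uid} to
the session user, so swapping in one's own uid bypasses it. The fixed check
also binds {rid} to the acting user in the role the action requires."""
from copy import deepcopy

# Constructed sample data: user 1 sent a "Friend" request (rid 124) to user 99.
RELATIONSHIPS = {124: {"requester": 1, "requestee": 99, "state": "pending"}}

# Which party of a pending request may perform each action ("own" semantics).
ROLE_FOR_ACTION = {"cancel": "requester", "approve": "requestee", "decline": "requestee"}


def act_weak(store, current_uid, path_uid, rid, action):
    """Check as reported: only the path uid is compared with the session user."""
    if current_uid != path_uid:
        return "access denied"
    if rid not in store:
        return "not found"
    # Ownership of rid is never verified, so any pending request can be acted on.
    if action == "approve":
        store[rid]["state"] = "approved"
    else:
        del store[rid]
    return "ok"


def act_own(store, current_uid, path_uid, rid, action):
    """Fixed check: the rid must be a pending request in which the actor holds
    the role the action requires (requester for cancel, requestee otherwise)."""
    if current_uid != path_uid or action not in ROLE_FOR_ACTION:
        return "access denied"
    rel = store.get(rid)
    if rel is None:
        return "not found"
    if rel["state"] != "pending" or rel[ROLE_FOR_ACTION[action]] != current_uid:
        return "access denied"
    if action == "approve":
        rel["state"] = "approved"
    else:
        del store[rid]
    return "ok"


def replay():
    """Replay the report: user 100 tries the original URL, then swaps 1 for 100."""
    weak, fixed = deepcopy(RELATIONSHIPS), deepcopy(RELATIONSHIPS)
    return {
        "weak_original_url": act_weak(weak, 100, 1, 124, "cancel"),   # denied
        "weak_swapped_uid": act_weak(weak, 100, 100, 124, "cancel"),  # user 1's request gone
        "fixed_swapped_uid": act_own(fixed, 100, 100, 124, "cancel"),  # denied
        "fixed_wrong_role": act_own(fixed, 99, 99, 124, "cancel"),     # requestee cannot cancel
        "fixed_approve_by_requestee": act_own(fixed, 99, 99, 124, "approve"),
        "weak_remaining": len(weak),
        "fixed_state": fixed[124]["state"],
    }
```

Running `replay()` shows the weak check deleting relationship 124 for user 100, while the fixed check only lets user 99, the requestee, approve it.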